Galaxy Credit card

Information on personal data processing of data of natural persons by DSK Bank AD

1.1. DSK Bank AD is a commercial company, registered in the Commercial Register and the Register of Non-Profit Legal Entities with the Registry Agency with UIC number 121830616 with headquarters and address of management: 1000 Sofia, 19 Moskovska Str., tel. *2375 / 0700 10 375; fax: (+359 2) 9076 499; e-mail: call_center@dskbank.bg; website www.dskbank.bg. As a Data Controller it operates in strict compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the Personal Data Protection Act. DSK Bank is part of OTP Group which provides financial services in Central and Eastern Europe. DSK Rodina, DSK Leasing, OTP Leasing, DSK Asset Management, DSK Dom and DSK Ventures are part of DSK Group in Bulgaria.

Contact details of the Data Protection Officer: e-mail: DPO@dskbank.bg.

1.2. This information applies to the processing of personal data of: (a) persons who conclude a bank financing agreement and /or a contract for securing such an agreement (guarantee, pledge, mortgage), or who apply for such a contract, incl. request for personalized and non-personalized offers; (b) persons submitting a request for conclusion of an agreement other than the one under letter (a) or who apply for such a contract, incl. request for personalized and non-personalized offers; (c) persons who conclude single performance contracts with the Bank, for example, contracts under which single payment services are provided; (d) persons who submit a complaint/ request/ offer without being customers of the Bank; (e) seller of real property - where the buyer of the property which will be used as collateral under the loan agreement receives financing; (f) persons whose debts to another creditor are refinanced with a loan from the Bank; (g) persons who submit a request for verification of liabilities for local taxes and charges; (h) heirs of the persons under the above points; (i) representatives of the persons (natural and legal) under the above points; (j) persons-non-clients of the Bank, whose data are processed in connection with the use of payment systems and payment schemes, including the use of P2P service by mobile number.

2.1.1. DSK Bank processes the following personal data and categories of personal data of individuals referred to under p. 1.2. letters (c) to (i): (a) names, identification number, date and place of birth, nationality, type, number and copy of identity document; (b) contact details, for example: addresses, landline/mobile phone, e-mail; (c) demographic data, for example: gender, age, place of residence; (d) physical identity data - facial images, voice, handwriting. (e) data on the economic situation, for example, existence of credit obligations; (f) tax and social security information, such as public payment obligations and place of employment.

2.1.2. In addition to the data under p. 2.1.1., in respect of clients of the Bank under p. 1.2. letters "a" and "b", the Bank also process the following data: (a) location; (b) data about place of employment, position/occupation; (c) student information, for example: educational institution, faculty number, professional field, specialty, course, full-time/ part-time education; (d) data about used and rejected products/services of the Bank and of third parties - contractors of the Bank; (e) for persons who have expressed a wish or use payment services for providing information on account and for initiating payments - financial information on accounts, account movements and stocks with other payment service providers; (f) biometric data.

2.2. For the purposes of bank financing, as well as for direct marketing of products and services of the Bank, besides the data under p. 2.1.1. and 2.1.2., DSK Bank also processes the following personal data of individuals under p. 1.2. letters "a" and "b": (a) data on the economic situation which DSK Bank possesses in connection with previously used products and services of the Bank as well as data obtained from the NSSI information databases /only with the consent of the client for this purpose/, CCR, NRA and the Commercial Register and the Register of Non- Profit Legal Entities, for example: income, owned property, indebtedness; existence of public payment obligations, related legal entities;; (b) civil status data available to DSK Bank in connection with used products and services of the Bank, for example: marital status, including those obtained from the information databases of DG GRAO (only with the client's consent to this)..

2.3. In respect of the representatives of natural persons and corporate customers, the Bank processes the following data: (a) name and identification number; (b) date and place of birth, citizenship; (c) identity document; (d) contact details, for example: addresses, landline/mobile phone, e-mail; e) location; (f) data relating to place of employment, position/occupation; (g) physical identity data - facial images, voice, handwriting.

2.4. DSK Bank processes the following personal data of the actual owners of a corporate customer: name, identification number, date and place of birth, citizenship, identity document, permanent address.

2.5. For the persons under p. 1.2. letter (j) the Bank processes the following personal data: names and phone numbers included in the list of contacts on a DSK Bank customer's mobile device under p. 1.2., letter (b).

3.1. The personal data of natural persons under p. 1.2., letter (a), (b) and (h) is processed for the purposes of: (a) conclusion and execution of a contract with the Bank to which the individual is a party/representative of another person; execution of a contract under which the Bank or the natural person subrogates to the rights/succeeds in the rights and/or obligations another person, as well as for actions preceding and warranting the conclusion of a contract; (b) exercise of legal rights and obligations of the Bank in connection with the conclusion and performance of the contracts under letter (a); (c) realization of the rights and interests of the Bank which has justified advantage over the interests of natural persons, including performing of direct marketing trough research on proposed and/or used products and services, as well as offering by telephone, mail or other direct means products and services of the Bank for which it is assumed that the client could have expected offers, considering the Bank's products and services already used. (d) direct marketing of products and services of the Bank, except for the cases of letter "c" as well as third party products and services, incl. subsidiaries of the Bank offered by it under a contract with these persons - only with the consent of the individual; (e) automatic exchange of financial information under Chapter XVI, Section IIIa of the Tax and Social Insurance Code, comprising of automated processing of personal data by applying the due diligence procedures under the Tax and Social Insurance Code.

3.2. In connection with the conclusion of a bank financing agreement and /or a contract for securing such an agreement (guarantee, pledge, mortgage), except for the purposes under p. 3.1., the personal data of natural persons upon point 1.2. letter (a), (b) and (h) is processed also for the purposes of: (a) consideration of a request for financing, valuation of collateral, performance of a creditworthiness analysis which includes, among other checks, requesting and receiving data from official national registers, such as registers maintained by the NSSI, the CCR, the NRA, from databases of the Bank, etc., and other preparatory steps for the conclusion of a financing agreement and agreements for the establishment of collateral; (b) establishment and renewal of the collateral under the contract; (c) taking out and maintaining property insurance as required under the contract or if the Bank, at its own discretion, takes out insurance against the risk assumed.

3.3. The representative’s data under p. 1.2., letter (i) is processed for the purposes of p. 3.1., letters (a), (b) and (e) for the for the realization of rights and interests of the Bank that have a justified advantage over the interests of natural persons, and in the cases of concluding a contract for bank financing and / or a contract for its collateral (guarantee, pledge, mortgage) on behalf of the represented person - and for the purposes of: (a) consideration of a request for the use of funding and other preparatory actions for the conclusion of a financing contract and contracts for the establishment of collateral; (b) the establishment and renewal of the collateral under the contract; (c) the conclusion and maintenance of property insurance where required under the contract or when the Bank, at its own discretion, undertakes insurance of the risk assumed.

3.4.1. The Bank processes personal data to individuals under p. 1.2. letter "c" to "g" for the following purposes: a) conclusion and performance of single performance contracts under which the natural person to whom the data relate is a party to or has concluded such a contract as a representative of another person, including for actions that preceded and warranted the conclusion of such a contract; (b) taking preparatory steps for the conclusion of a bank financing agreement for refinancing of credit obligations of the natural person whose personal data are being processed; (c) requesting and obtaining data from official national registers (e.g., the NRA register for public liabilities) relating to the owner of the real estate, for example, in the event of financing received by the buyer of the property where the property will also be a used as collateral under the loan agreement; d) analysing issues raised in a complaint/ request/ proposal and preparing an answer; e) execution of legal rights and obligations of the Bank.

3.4.2. The Bank processes personal data and categories of personal data under p. 2.1.2, letter (f) only for the following purposes: a) for the purposes of remote identification upon initial registration for access to electronic channels and use of the Bank's products and services through a mobile application, only after receiving explicit consent from the data subject. b) for the purpose of signing documents in front of an employee of the Bank with an electronic pen, with the consent of the data subject.

3.4.3. The Bank processes personal data under p. 2.5. for the purposes of using payment systems and payment schemes, including using a P2P service by mobile number.

3.5. The personal data of the actual owners of a corporate customer is processed for identification purposes and for the purposes of enforcement of anti-money laundering and terrorist financing measures in fulfillment of the Bank's legal obligations.

3.6. For security purposes and in compliance with the normative requirements, video surveillance is carried out in Banks offices.

4. The processing of personal data shall be based on: (a) a contract with the Bank or a third party through the Bank, to which the natural person is a party/representative of another person, including for actions that preceded and warranted the conclusion of such a contract and undertaken at the request of the person; or (b) the consent of the natural person, or (c) realization of rights and interests of the Bank which have justified advantage over the interests of natural persons, or (e) execution of legal rights and obligations of the Bank.

5.1. The personal data of the individuals under p.1.2., letters (a), (b) and (h) as well as data of representatives of natural and legal persons, collected and processed by the Bank, may be provided to the following categories of recipients of personal data: (a) persons entrusted with the preparation, printing, assembling, delivery (including via SMS/Viber communications or electronically) of written correspondence and/or information materials of the Bank; (b) persons entrusted with bank card issuance; (c) persons with whom the Bank has concluded a contract for joint development and servicing of products and/or provision of services; (d) persons whose services the Bank uses in providing investment and additional services to clients; (e) persons and institutions with which the Bank has concluded loan portfolio guarantee contracts and/or individual loan guarantee contracts; (f) persons entrusted by virtue of a contract to assist the Bank in the management and collection of its receivables; (g) persons to whom the Bank proposes to sell its receivables; (h) persons to whom the Bank has given notice of early repayment under loan agreements or other form of financing (e.g., notaries, private enforcement agents); (i) external contact centers; (k) traders who are intermediaries in the provision of loans or other banking products and services by virtue of a contract concluded with the Bank; (l) other companies from the group of DSK Bank (OTP Group) where it is required for the purposes of decision-making, administration and control in connection with the provision and execution of the services provided by the Bank, or these companies; (m) persons to whom in connection with the processing for the purposes specified under p. 3 the Bank has entrusted the processing of personal data for organizational reasons other than those mentioned above, for example: development and maintenance of the Bank's systems; storage of data; control of access to the premises of the Bank, etc; (n) bodies, institutions, regulated markets of which the Bank is a member – with regard to the realization and protection of the rights and interests of the Bank or as well as other persons to whom the Bank is required to provide personal data in accordance with a statutory requirement; (o) payment organizations and systems serving cashless payments and transfers, including with payment instruments, as well as external providers, through applications of which bank cards issued by DSK Bank are digitized, when the data subject has requested the digitization service; (p) payment service providers for providing information on an account, payment service providers for initiating payments and providers granting a payment service upon confirmation of the availability of funds when using a payment instrument, which are integrated into the Bank's systems in accordance with the law this; (r) insurers with whom the Bank has a contract and their partners for the purpose of concluding, maintaining and realizing property insurance, as well as persons to whom the Bank assigns a valuation of collateral.

5.2.1. The personal data of individuals under p. 1.2., letters (c) to (g) and letter (j) collected and processed by the Bank may be provided to the following categories of recipients of personal data:

(a) bodies, institutions, regulated markets of which the Bank is a member – with regard to the realization and protection of the rights and interests of the Bank (e.g., conciliation commissions, courts) or as well as other persons to whom the Bank is required to provide personal data in accordance with a statutory requirement; (b) persons entrusted with the preparation, printing, assembling, delivery (including via SMS/Viber communication or electronically) of written correspondence; (c) external contact centers; (d) other companies from the group of DSK Bank (OTP Group) where it is required for the purposes of decision-making, administration and control in connection with the provision and execution of the services provided by the Bank, or these companies; (e) payment organizations and systems serving cashless payments and transfers, including with payment instruments. (f) persons to whom the Bank assigns the performance of real estate appraisals.

5.2.2. Depending on the respective legal assumption, the personal data of natural persons under p. 1.2., letters (c) to (h) and letter (j) may be provided to DSK Bank by the data subjects themselves or through the following groups of third parties: (a) the personal data of individuals whose liabilities will be refinanced shall be obtained from the creditor through the borrower. (b) the personal data of natural persons receiving funds in the Bank (e.g., from dividend payments, rent, indemnities, etc.) shall be obtained from the originator of the transfer with whom the Bank has contractual relations for the provision of services related to remittance of amounts payable to the recipient; (c) the personal data of the heirs of the Bank's clients may be obtained by other heirs, notaries, executors of wills, bodies engaged in the collection of receivables of the bank within their legal powers; (d) the personal data of the natural persons under item 1.2., letter (i) may be obtained from institutions or legal entities offering access to publicly available registers such as the Commercial Register and the Register of Non-Profit Legal Entities and similar. (e) the personal data of individuals under p. 1.2., letter (j) are received by a customer of DSK Bank under p. 1.2., letter (b).

6. For the purposes of assessment by the Bank of the possibilities for use of products and services of the Bank, which are the most suitable products and services for the client, as well as the specific conditions for using these products and services, the personal data of the persons may be subject to automated processing, as a result of which an automated decision is made. Automated processing is also a way to assess the creditworthiness of individuals. It includes performing various checks, including in official registers for the country, as well as databases of the Bank, which, based on pre-set criteria, lead to a positive or negative decision to use a banking product or service. This type of data processing is necessary for the conclusion of the contract for the respective product, and in some cases, it can also be applied for the purposes of preparing marketing offers with credit limit. Personal data of individuals may also be subject to automated processing in connection with the application of measures against money laundering and terrorist financing. In the latter case this type of processing is necessary to comply with the requirements of applicable legislation in this area that leads to to the entry or termination of business relationships and the prevention of fraud.

In case of applied automated decision-making, the persons under point 1.2., letter (a) and (b) have the right to express their point of view on the decision, to challenge it, as well as to request human intervention in the decision-making process.

7.1. The provision of personal data is voluntary where such data are necessary for the conclusion of a contract with the Bank. If the data is not provided, the Bank will not be able to provide a product or a service. In the case of already established commercial or professional relations with the Bank, the provision of personal data may constitute a contractual or statutory requirement. In such cases, failure to provide the required data may result in termination of the contract or the established commercial relationship. The consequences of non-consent are specified in the document in which consent is given or are expressly mentioned by the Bank prior to the consent being given.

7.2 The Bank does not consider anonymous complaints/ requests/ proposals.

8.1. Data subjects have the right of access, the right to request correction, deletion or limitation of the processing of their personal data processed by the Bank, as well as to object to the processing of their data when it is processed on the basis of the realization of rights and interests of The Bank, which have a justified advantage over the interests of natural persons.

8.2. Data subjects have the right to receive the data from the Bank in the form and manner specified in the law and transfer them to another controller. Data subjects have the right to request the Bank to transfer directly their data to another controller where technically feasible.

8.3. Data subjects may at any time object to the processing of their data for the purposes of direct marketing, and to withdraw the consents given by them in one of the following ways: 1. By making a call to: 0700 10 375 2. By sending an e-mail to: call_center@dskbank.bg 3. At each office of the Bank. 4. Through the Feedback section of DSK Bank's electronic channels in case they have a contract for access to them.

Withdrawal of consent does not affect the lawfulness of the processing of personal data prior to withdrawal. Despite withdrawal of consent, personal data may be processed by the Bank for other purposes if there is legal basis to process the data under p. 4 other than consent.

8.4. Natural persons may exercise their rights under item 8.1. and 8.2. on the addresses for correspondence as referred to under p. 1.1. (Personal Data Protection Officer) and p. 8.3. after proper identification, as well as through DSK Bank's electronic channels. When exercising rights by e-mail, requests should be signed with a qualified electronic signature (QES)..

9. Natural persons may exercise their right of appeal to the Commission for Personal Data Protection, which is a data protection supervisory authority.

Personal Data Protection Commission: Address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd., e-mail: kzld@cpdp.bg website: www.cpdp.bg

10. DSK Bank stores collected personal data within the following time frames: (a) where the data is processed on the basis of a request for use of a product/ service, for a maximum period of 5 years as of the date of submission of the request for conclusion of a contract, if the request is not approved; (b) where the data is processed on the basis of a contract - for a period of 5 years as of the beginning of the calendar year following the year of termination of the relationship; transfer of receivable - 5 years after repayment of the claim to the transferee, but not earlier than 5 years after the final settlement of all legal proceedings related to it; 5 years from the beginning of the calendar year following the year of the termination of the relations between the Bank and the buyer of real estate - in the event of processing the data of a seller of a real estate;

(c) where the data is processed on the basis of consent, until withdrawal of the consent; (d) where the data are processed in connection with realization of rights and interests of the Bank which have a justified advantage over the interests of the natural persons - until the right is extinguished and/or the interest disappears; (e) a period of 5 after the provision of the respective single service; (f) a period of 3 years after the preparation of a reply to a complaint/ request/ proposal; (g) a period of 5 years from the beginning of the calendar year following the year of termination of the relationship between the Bank and the person who has refinanced another party's credit obligation, in the case of processing the data of individuals whose credit obligations have been refinanced.(h) a period of 3 years for the recordings of the calls in the Contact Center. (i) a period of 2 months for the recordings from the performed video surveillance. (j) a period of 5 years from the beginning of the calendar year in which the transfer was made.

Once the deadlines have expired, if there is no other legal basis for processing of the data, it shall be deleted. In order to obtain and analyze information related to the products and services used and to improve the service, the Bank may delete only part of the data. In such a case, it shall continue to store a portion of the data that prevents natural persons from being subsequently identified.

Updated on 01 October 2023.

Internal Use Conditions for distance provision of financial services

"DSK Bank" AD is a commercial company registered with the Commercial Register and the Register of Non- Profit Entities at the Registry Agency under UIC 121830616. Registered headquarters and address of the company. Sofia, 19 Moskovska Str., phone: 0700 10 375, fax: (02) 980 64 77; e-mail: call_center@dskbank.bg; BIC/SWIFT: STSABGSF.

"DSK Bank AD performs banking activities on the basis of license № B 03, issued by the Bulgarian National Bank, address: Sofia, 1 "Knyaz Aleksandar I" Sq, which supervises the operations. "DSK Bank AD performs investment brokerage pursuant to Decision No. RG-03-193 of the State Securities Commission, at present the Financial Supervision Commission (FSC), address: Sofia, 16 Budapest Str., which supervises the operations.

The Bank's usual working hours with customers on official business days are from 8:00 to 17:00 h.

I. Conclusion of distance contracts for financial services

1. DSK Bank concludes with its customers - private individuals the following types of contracts for the distance provision of financial services: Opening and servicing current accounts in BGN, USD or EUR; Issuance and servicing of debit cards, virtual cards, additional credit cards; Loans for personal consumption; Access to electronic channels; Trading in shares of investment funds; Provision of brokerage services; Transactions with derivative financial instruments; Trust Management and Investment Advice. 2. Prior to signing any of the contracts referred to in Clause 1, the Bank shall provide the Customer with the documents required by law for the relevant contract, which the Customer shall read before signing the contract. The Customer shall indicate his/her consent to the documents by ticking the relevant space and/or by signing the documents using an electronic signature. 3. The pre-contractual information provided by the Bank shall be valid as of the date it is provided. The parameters of the services, the method of providing the services, and the fees and commissions payable by the Customer for the services are set out in the pre-contractual information provided to the Customer for the relevant type of service. The current General Terms and Conditions, if applicable for the relevant product/service, the Tariff of DSK Bank AD, as well as information on the processing of personal data of individuals by DSK Bank AD, can be found on the website www.dskbank.bg and in any branch of the Bank. The Customer shall not pay any other additional expenses in relation to the specific distance service contract. 4. The contracts under Clause 1 and any other documents relating to the contracts, shall be signed by the Customer with an electronic signature within the meaning of the Electronic Document and Electronic Certification Services Act. 5. The contract for the service selected by the Customer shall be deemed to have been concluded after it has been signed by the Customer and the Bank. The relevant service may be provided only after the contract has been signed in accordance with the preceding sentence. The Contract, together with any related documents signed by the Customer and/or the Bank, are available to the Customer in unalterable form for review, downloading and printing. 6. The consumer shall have the right, free of any compensation or penalty and without stating a reason, to withdraw from the distance contract concluded under Clause 1 (except for the following contracts for: trading in shares of investment funds; provision of brokerage services; transactions with derivative financial instruments; trust management; provision of investment advice) within 14 days from the date of conclusion of the contract. The right of withdrawal shall be deemed to have been exercised provided that the Customer (either in person or through a person specifically authorised by a notarised power of attorney) submits a written notice to that effect on paper at any branch of the Bank before the 14-day period expires. 6.1. Within 7 days following the notification, the Customer shall pay the fees, commissions, and other expenses for all the services used by him under the Contract which were provided to him before the period for the exercise of the right of withdrawal expired, based on his express consent to these Terms and Conditions, including monthly bank account service fees, bank card issuance fees and fees for executed payment transactions. 6.2. Within 30 days following the notification for exercising the right of withdrawal, the Customer shall repay the drawn credit, respectively the credit limit by means of an additional credit card and pay the agreed interest and other expenses, under the terms of the concluded consumer credit contract, respectively for the issuance and

Internal Use servicing of a revolving credit card. The right shall be exercised in accordance with the terms and conditions set out in the Contract and/or the General Terms and Conditions for the relevant type of credit. 6.3. Where the Customer exercises the right to withdraw from a contract or a supplementary agreement for issuing a bank card and if the Customer has received the card, the Customer must return the card upon submission of the relevant notice to terminate the contract within the period referred to in clause 6.

II. Submission of electronic applications for using credit products

7. DSK Bank accepts electronic applications for credit products. Based on a received application and the data specified therein, the Bank may pre-approve or refuse to provide the requested credit product. The requested products can be used only after signing the respective contracts. The electronic application shall be valid for 14 calendar days following the submission date. 8. Pre-approval for the provision of a credit product is not binding on the Bank and is not an offer. Where the application is submitted through the Bank's website or through its electronic channels, the validity of the approval shall be 30 calendar days from the date on which the Customer has been notified thereof, and 3 months when submitted through the DSK Home platform. If the last day of the term falls on a non-business day, the first following business day shall be considered the deadline. A loan contract for the approved credit product may be concluded within the specified period. The Bank shall provide the pre-contractual information required by law prior to entering into the relevant loan contract. 9. In case of an application to use credit via a bank card, the card can be obtained at a bank office specified by the Customer upon signing the credit card issuance and servicing agreement. 10. In the event of refusal to grant credit, including where the refusal is based on the results of a check in the Central Credit Register or in another database, information on this will be received in the electronic channels of the Bank, at the telephone number or e-mail address indicated by the Customer and/or in the account registered in the Credit Portal of the Bank (in the case of an application submitted through the online platform DSK Home). 11. By accepting these Terms and Conditions, the Customer declares that he/she is informed that for the validity period of the application submitted electronically, the Bank shall process his/her personal data for the purpose to draft the loan contract. Upon expiry of this period and in the event that no contract has been signed and there is no other basis for processing the data, the data will be deleted. 12. The applicable Bulgarian banking and general legislation shall apply to the relations established between the Customer and the Bank prior to concluding the distance contract for the respective type of service pursuant to Clause I or Clause II, and disputes in connection with these relations shall be resolved by the competent Bulgarian court.